Wiz
Blog

Mapping Your API Ecosystem: Wiz Expands API Discovery with Apigee

See your full Apigee architecture on the Wiz Security Graph, from API gateways and environments to every endpoint and its authorization scheme.

Bandhna Bedi, Mike McGuire, Gilad Hoze, Saar Shtalryd

Every modern application is stitched together by APIs. They connect your frontend to your backend, your services to each other, and your platform to your partners and customers. But for most security teams, APIs are a blind spot. They have become one of the fastest-growing attack surfaces in cloud environments. According to OWASP, broken authentication and excessive data exposure through APIs are among the most exploited vulnerabilities in production systems, and unlike most cloud misconfigurations, API risks often live outside the visibility of both security and platform teams.

What’s missing is visibility. Platform teams understand their API gateways, but that context stays in their console. Application security teams focus on code and dependencies, while the runtime API layer, how endpoints are deployed, authenticated, and exposed, is often missed. And when leadership asks "which of our APIs are exposed and how are they protected?", no single team has the full answer.

That is why we are bringing Google Cloud Apigee into the Wiz Security Graph. Wiz discovers and maps your Apigee architecture, including gateways, environments, proxies, endpoints, and authorization schemes, and connects it to the rest of your cloud. Available out of the box for any customer already scanning GCP, APIs are no longer a blind spot - they’re part of your security picture.

Seeing the full picture with Apigee on the Security Graph

Once your GCP Connector scans your environment, Wiz maps your full Apigee architecture onto the Security Graph, both Apigee X and Hybrid. Your gateways, environments, proxies, and every active API endpoint become visible alongside your cloud workloads, including each endpoint's host, path, HTTP method, and authorization scheme.

What makes this powerful for security teams is that for every active endpoint, Wiz looks at how it's authenticated, not just whether an auth header is present, but what's actually enforcing it.

Our scanning engine digs into the flow-level policies and pre/post request hooks in each proxy revision to identify the real mechanism: OAuth, API Key, Bearer, Basic Auth, SAML, HMAC. And when nothing's there, Wiz flags it.

But knowing an endpoint is unauthenticated is only part of the story. On the Security Graph, that endpoint is connected to the gateway serving it, the compute workload behind it, the data stores it can reach, and the network paths that determine who can access it from the outside.

Imagine your platform team deploys a new API proxy for a partner integration, but during a sprint the auth policy gets removed from one of the flows. On its own, it looks like a config gap, a cleanup task for the next sprint. But on the Security Graph, that unauthenticated endpoint is publicly reachable and connected to a backend with read access to a customer database. Same finding, completely different urgency when you see the full picture. That’s no longer a cleanup task that's a critical exposure that needs attention now.

By bringing Apigee onto the Security Graph, security teams are no longer seeing APIs in isolation, they’re understanding what's behind them, who can reach them, and the business impact misconfigured APIs could have.

Unlocking API risk context for every team

APIs change constantly. New proxies get deployed, configurations get updated, auth policies get modified. Wiz continuously scans your Apigee environment, so your API inventory stays current as your architecture evolves. That means every team is working from the same up-to-date picture:

  • Security leaders: Get a real-time answer to "what's our API exposure?". Every active endpoint, how it's authenticated, and what it connects to are visible alongside cloud risk without waiting on a quarterly audit.

  • Application security teams: Close the gap between what you see in code and what's actually deployed. When a vulnerability is found, teams can trace whether the endpoint it powers is actually deployed, publicly reachable, and what data sits behind it without a separate investigation.

  • Vulnerability management teams: When prioritizing the backlog, teams can factor in API exposure. A critical CVE behind a locked-down API is a very different urgency than the same CVE behind an open endpoint anyone can reach.

  • AI and platform engineers: As AI agents and automation frameworks increasingly call APIs autonomously, knowing which endpoints are exposed and how they're authenticated becomes critical. Wiz brings the same code-to-cloud context to your API layer that it brings to the rest of your environment, so your agentic workflows aren't operating across blind spots.

Attack Surface Finding on API endpoint hosted in Apigee

Get started today

If you're running Apigee X or Hybrid, head to the API Endpoints inventory in Wiz to start seeing Apigee endpoints on the Security Graph, no additional setup needed beyond the existing GCP Connector.

And if you're at Google Cloud Next this week, come see how Wiz is extending visibility from cloud to edge, bringing every layer of infrastructure into the same Security Graph where your cloud context already lives.

Tags
#Wiz Platform

Continue reading

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo